Computer access control using password reset

ABSTRACT

The present invention relates to a method or system which is able to control access to a new computer using a user password reset. The system is preloaded with a random password that does not need to be known by anyone. There are two main situations in which this method will be used. The first situation involves a locally managed password and account where the user does not log in to a domain. The second situation involves remote management, where the user logs in to a domain.

FIELD OF THE INVENTION

The present invention relates generally to providing access control to a computer using password reset.

BACKGROUND OF THE INVENTION

New computerized devices are typically shipped without any startup passwords. Passwords are added as the system is powered up, or as user information is provided. This provides little to no validation of the recipient's identity, thus allowing for theft. This is problematic, particularly in cases where the computers have been pre-installed with specific proprietary software that should only be available to the intended end-user. A separate power-on password can be dispatched outside the computerized device, but these separate passwords can be intercepted. Thus, this method of validation is also not foolproof.

Further, if a computer has been received by the intended user, but the user forgets the password, there is no known way to reset the password while ensuring the identity of the user. In the current state of the art, at boot time, the BIOS queries for a power-on password. As part of the ATAPI standard, computers have implemented a hard disk password as well. Without the input of the correct hard drive password, the drive will not allow any other command to be executed. This is enforced on the hard drive. The BIOS queries the user for the password and passes it through to the hard drive. Using this implementation, if the hard drive is pulled out of its current computer and placed in another system, the drive password does not change, and the hard drive can be accessed by the same user. However, if the password is forgotten, the system is inaccessible.

Thus, there exists a need in the art to control access to a new computer and reset the hardware password. Such a method would ensure that a stolen or misplaced computer could not be improperly used.

SUMMARY OF THE INVENTION

This present invention broadly relates to a method or system which is able to control access to a computer using a hardware password reset.

In summary, one aspect of the invention provides an apparatus for permitting a system password reset for a user in the context of a system, said apparatus comprising an arrangement for recognizing a unique system identifier; an arrangement for accepting user input to compare with the unique system identifier; and an arrangement for permitting a system password reset upon a match involving the user input and the unique system identifier.

Another aspect of the invention provides a method for permitting a system password reset for a user in the context of a system, said method comprising the steps of recognizing a unique system identifier; accepting user input to compare with the unique system identifier; and permitting a system password reset upon a match involving the user input and the unique system identifier.

Furthermore, an additional aspect of the present invention provides a program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps permitting a system password reset for a user in the context of a system, said method comprising the steps of providing a unique system identifier; accepting user input to compare with the unique system identifier; and permitting a system password reset upon a match involving the user input and the unique system identifier.

For a better understanding of the present invention, together with other and further features and advantages thereof, reference is made to the following description and the scope of the invention will be pointed out in the appended claims.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

As mentioned above, the present invention relates to a method or system which is able to control access to a new computer using a user password reset. The system is preferably preloaded with a random password that does not need to be known by anyone. There are two main situations in which this method will be used. The first situation involves a locally managed password and account where the user does not log in to a domain. The second situation involves remote management, where the user logs in to a domain. This method is implemented using a password that is set to a random value, along with an LDAP (Lightweight Directory Access Protocol) account activation that is controlled by the Information Technology (IT) organization. This arrangement allows the IT organization to control when the user can first access the system. The method of the instant invention is able to deal with both situations successfully.

The first situation, as discussed above, involves using password reset in a locally administered mode. In this mode, the first steps taken will be to generate and set a random password on the system when it is manufactured or configured for shipment to an end user. The password is subsequently discarded by the configuration infrastructure, but retained on the system. In addition to setting a random password, a unique value will be created. This value will be signed (encrypted) using half of a generated key pair, and then inserted into a secured location on the system when the system's image is installed.

This secure location can include one of many locations on the system, such as a TCPA (Trusted Computing Platform Alliance) chip or module, an encrypted area on the hard drive, or a secured area in the BIOS, for example. The other half of the generated key pair is shipped to the intended end user.

This unique value will preferably be made up of a combination of one or several components. The components could be derived from information intrinsic to that specific system, such as machine-type and model and/or serial number data, or a combination of such pieces of data. The component could also be the system's BIOS's public key, or a transformation of the key. The key is attained through a process used to validate the BIOS. Before the system is shipped to the end user, the BIOS data is hashed, resulting in a hash number and a public/private key pair. The private key is used to encrypt the hash of the BIOS, so that the hash number cannot be altered. This hash is saved on the system as the BIOS signature. The system is shipped to the end user, and as the system is powered on and verified, the BIOS is rehashed. The BIOS public key is used to decrypt the hash signature, and the two hash values are compared to determine if the BIOS has been altered. Other BIOS-supplied or system characteristics can be used as, or in combination with, the components that compose the unique value.

When the system is powered up for the first time, the system would combine the components (for example, the intrinsic component and the BIOS-supplied component) as necessary to recreate the original unique value. The system would then query the recipient for the second half of the generated key pair, retrieve the encrypted value from the secured area, and decrypt it using the second half of the key pair. If the newly-generated value and the decrypted value match, the user would be allowed to change the password.
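The locally administered flow described above (provision-time binding of the unique value, then the first-boot comparison), as an added Python example that is not part of the patent text. The intrinsic data and BIOS image are constructed sample values; because the Python standard library has no public-key primitives, the shipped "half of the key pair" is modelled here as an HMAC key, a deliberate substitution for the patent's signing step.

```python
import hashlib
import hmac
import secrets

# Constructed sample data standing in for what the factory reads from the unit.
INTRINSIC = {"machine_type": "8765", "model": "ABC", "serial": "SN-0001"}
BIOS_IMAGE = b"constructed BIOS image bytes"


def unique_value(intrinsic: dict, bios_image: bytes) -> bytes:
    """Combine the intrinsic components with the BIOS hash into one value.

    Any change to the model/serial data or to the BIOS image changes the
    result, so a swapped board or a modified BIOS fails the first-boot check.
    """
    bios_hash = hashlib.sha256(bios_image).digest()
    material = b"|".join([
        intrinsic["machine_type"].encode(),
        intrinsic["model"].encode(),
        intrinsic["serial"].encode(),
        bios_hash,
    ])
    return hashlib.sha256(material).digest()


def provision(intrinsic: dict, bios_image: bytes) -> tuple:
    """Factory side: random password plus a tag binding the unique value to a user key.

    The patent signs the value with one half of a key pair; this example uses an
    HMAC key as the shipped secret instead (a substitution, not the patent's method).
    """
    random_password = secrets.token_urlsafe(24)   # set on the system, then discarded
    user_key = secrets.token_bytes(32)            # shipped to the end user out of band
    tag = hmac.new(user_key, unique_value(intrinsic, bios_image), "sha256").digest()
    return random_password, user_key, tag         # tag -> secured location (TCPA chip, BIOS, disk)


def first_boot_permits_reset(intrinsic: dict, bios_image: bytes,
                             stored_tag: bytes, user_supplied_key: bytes) -> bool:
    """First power-on: recompute the value with the user's key and compare to the stored tag."""
    expected = hmac.new(user_supplied_key, unique_value(intrinsic, bios_image), "sha256").digest()
    return hmac.compare_digest(expected, stored_tag)  # constant-time comparison


if __name__ == "__main__":
    _, key, tag = provision(INTRINSIC, BIOS_IMAGE)
    print("correct key:", first_boot_permits_reset(INTRINSIC, BIOS_IMAGE, tag, key))
    print("altered BIOS:", first_boot_permits_reset(INTRINSIC, b"patched", tag, key))
```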

The second situation, as discussed above, involves using the password reset in a centrally or remotely administered mode, such as LDAP, Active Directory, Kerberos or another similar environment. In this mode, the first steps taken will be to generate and set a random password on the system when it is manufactured or configured for shipment to an end user. The password is subsequently discarded by the configuration infrastructure, but retained on the system. The system will be prepared with a secure Operating System that can connect to the directory. While the system is being configured, a unique value will be generated using information intrinsic to the system, such as machine-type and model and/or serial number. The intrinsic information is hashed and stored with the user's information in the directory.

When the system is powered up for the first time, the system will offer the user the opportunity to reset the password. When the user selects to reset the password, the secure Operating System will boot and connect to the directory. The user will be challenged to authenticate themselves to the directory.

If the user is able to successfully authenticate to the directory, the secure OS then identifies and authenticates the system to the directory by comparing a hash of its intrinsic information against the corresponding information stored in the directory. If the two hashes match, the secure Operating System permits the user to reset their password on the system.
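The directory-mode flow (an enrolment record holding the hashed intrinsic data, then user authentication followed by system authentication at first boot), as an added Python example not taken from the patent. The directory is a constructed in-memory record, and user authentication is modelled with PBKDF2; a real LDAP or Active Directory deployment would use the directory's own authentication.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000

# Constructed intrinsic data: machine type, model, serial (read from the unit during configuration).
INTRINSIC = ("8765", "ABC", "SN-0001")


def system_hash(machine_type: str, model: str, serial: str) -> bytes:
    """Hash of the intrinsic information; stored with the user's record in the directory.

    Serials and model codes are not secret, so this hash binds the reset to one
    unit but carries no secrecy of its own; the user's authentication does that.
    """
    return hashlib.sha256("|".join((machine_type, model, serial)).encode()).digest()


def enroll(username: str, password: str, intrinsic: tuple) -> dict:
    """IT side: the directory record tying this user to this system (in-memory stand-in)."""
    salt = os.urandom(16)
    return {
        "user": username,
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "system_hash": system_hash(*intrinsic),
    }


def authenticate_user(record: dict, username: str, password: str) -> bool:
    """Step 1 at first boot: the user authenticates to the directory."""
    if record["user"] != username:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["pw_hash"])


def authenticate_system(record: dict, intrinsic: tuple) -> bool:
    """Step 2: the secure OS shows this unit is the one enrolled for that user."""
    return hmac.compare_digest(system_hash(*intrinsic), record["system_hash"])


def permit_reset(record: dict, username: str, password: str, intrinsic: tuple) -> bool:
    """Reset is permitted only when both the user and the system check out, in that order."""
    return authenticate_user(record, username, password) and authenticate_system(record, intrinsic)
```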

It is to be understood that the present invention, in accordance with at least one presently preferred embodiment, includes elements which may be implemented on at least one general-purpose computer running suitable software programs. These may also be implemented on at least one Integrated Circuit or part of at least one Integrated Circuit. Thus, it is to be understood that the invention may be implemented in hardware, software, or a combination of both.

If not otherwise stated herein, it is to be assumed that all patents, patent applications, patent publications and other publications mentioned and cited herein are hereby fully incorporated by reference herein as if set forth in their entirety herein.

Although illustrative embodiments of the present invention have been described herein with reference to the accompanying drawings, it is to be understood that the invention is not limited to those precise embodiments, and that various other changes and modifications may be effected therein by one skilled in the art without departing from the scope or spirit of the invention.

1. An apparatus for permitting a system password reset for a user in the context of a system, said apparatus comprising: an arrangement for recognizing a unique system identifier; an arrangement for accepting user input to compare with the unique system identifier; and an arrangement for permitting a system password reset upon a match involving the user input and the unique system identifier.
2. The apparatus according to claim 1, wherein: said arrangement for recognizing a unique system identifier acts to recognize a system hash; said arrangement for accepting user input acts to create a user-associated hash; and said arrangement for permitting a system password reset acts to permit a system password reset upon a match involving the system hash and the user-associated hash.
3. The apparatus according to claim 1, wherein: the system comprises a locally accessible system; and said arrangement for recognizing a unique system identifier acts to recognize an encrypted unique system value in a private key of a public/private key pair.
4. The apparatus according to claim 3, wherein said arrangement for accepting user input acts to query a local user for a public key of a public/private key pair.
5. The apparatus according to claim 4, wherein said arrangement for permitting a system password reset acts to permit a system password reset upon a match involving a public key and private key.
6. The apparatus according to claim 2, wherein said arrangement for permitting a system password reset acts to replace a password that previously has been randomly generated.
7. The apparatus according to claim 1, wherein said arrangement for recognizing a unique system identifier acts to recognize a BIOS hash.
8. The apparatus according to claim 1, wherein: the system acts to access a remotely accessible environment; said arrangement for recognizing a unique system identifier acts to recognize a system hash along with user information at a remotely accessible environment; said arrangement for accepting user input acts to create a user-associated hash; and said arrangement for permitting a system password reset acts to permit a system password reset upon a match involving the system hash and the user-associated hash.
9. The apparatus according to claim 8, wherein the remotely accessed environment comprises at least one of LDAP and Active Directory.
10. A method for permitting a system password reset for a user in the context of a system, said method comprising the steps of: recognizing a unique system identifier; accepting user input to compare with the unique system identifier; and permitting a system password reset upon a match involving the user input and the unique system identifier.
11. The method according to claim 10, wherein: said step of recognizing a unique system identifier comprises recognizing a system hash; said step of accepting user input comprises creating a user-associated hash; and said step of permitting a system password reset comprises permitting a system password reset upon a match involving the system hash and the user-associated hash.
12. The method according to claim 10, wherein: the system comprises a locally accessible system; and said step of recognizing a unique system identifier comprises recognizing an encrypted unique system value in a private key of a public/private key pair.
13. The method according to claim 12, wherein said step of accepting user input comprises querying a local user for the public key of the public/private key pair.
14. The method according to claim 13, wherein said step of permitting a system password reset comprises permitting a system password reset upon a match involving the public key and the private key.
15. The method according to claim 11, wherein said step of permitting a system password reset comprises replacing a password that previously has been randomly generated.
16. The method according to claim 10, wherein said step of recognizing a unique system identifier comprises recognizing a BIOS hash.
17. The method according to claim 10, wherein: the system acts to access a remotely accessible environment; said step of recognizing a unique system identifier comprises recognizing a system hash along with user information at the remotely accessible environment; said step of accepting user input comprises creating a user-associated hash; and said step of permitting a system password reset comprises permitting a system password reset upon a match involving the system hash and the user-associated hash.
18. The method according to claim 17, wherein the remotely accessed environment comprises at least one of LDAP and Active Directory.
19. A program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps permitting a system password reset for a user in the context of a system, said method comprising the steps of: providing a unique system identifier; accepting user input to compare with the unique system identifier; and permitting a system password reset upon a match involving the user input and the unique system identifier.